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SECURE EXBmTTQN ARCHITECTURE 

Technical Field of the Invenfcion 

The present invention relates to circuitry for 
providing data security, which circuitry contains at 
least one processor and at least one storage circuit. The 
present invention also relates to a method for providing 
data security in circuitry containing at least one 
processor and at least one storage circuit. 

Background Ar^ 

Various electronic devices, such as mobile tele- 
communication terminals, portable coirputers and PDAs 
require access to security related components such as 
application programs, cryptographical keys, cryptogra- 
phical key data material, intermediate cryptographical 
15 calculation results, passwords, authentication of exter- 
nally downloaded data etc. It is often necessary that 
these components, and the processing of them, is kept 
secret within the electronic device. Ideally, they shall 
be known by as few people as possible. This is due to the 
fact that a device, for example a mobile terminal, could 
possibly be tampered with if these components are known. 
Access to these types of components might aid an attacker 
with the malicious intent to manipulate a terminal. 
Further, in the devices, these above mentioned 
25 security related components will be handled, processed 
and managed alongside more general components which do 
not require any secure processing. Therefore, a secure 
execution environment is introduced in which environment 
a processor within the electronic device is able to 
access the security related components. Access to the 
secure execution environment, processing in it and exit 
from it should be carefully controlled. Prior art 
hardware comprising this secure environment is often 
enclosed within a tarrper resistant packaging. It should 
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not be possible to probe or perform measurements and 
tests on this type of hardware which could result in the 
revealing of security related components and the 
processing of them. 

An electronic device processing information in a 
secure environment and storing security related informa- 
tion in a secure manner is shown in US patent No. 
5,892,900. The patent discloses a virtual distribution 
environment securing, administering and controlling 
electronic information use. It comprises a rights 
protection solution for distributors, financial service 
providers, end-users and others. The invention uses 
electronic devices called Secure Processing Units to 
provide security and secure information storage and 
communication. Such a device, including a processor, is 
enclosed within a "tamper resistant security barrier", 
separating the secure environment from the outer world. 
The electronic device provides both the secure environ- 
ment and an unsecure environment, in which latter case 
the processor of the device has no access to the security 
related information. 

A problem that has to be solved is to enable for a 
third party to perform testing^ debugging and servicing 
of the electronic device and its software without risking 
25 that the third party is given access to information which 
makes it possible to manipulate the security related 
components of the device so as to affect the security 
functions when in the secure environment. It should be 
possible to move between the two environments smoothly, 
30 without having to initialize one or the other every time 
a movement is effected. 
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Sununary of the Invention 

It is an object of the present invention to provide 
a solution to the above given problem by proposing an 
architecture conprising a secure environment in which it 
5 is possible to store and process information such as 

cryptographical keys and other security related data in a 
secure way and still making it possible to test and debug 
the architecture and its accompanying software in an 
unsecure environment without giving access to the 
10 security data. 

This object is attained by the invention in a first 
aspect in the form of circuitry for providing data secu- 
rity, which circuitry contains at least one processor and 
at least one storage circuit according to claim 1 and in 
15 a second aspect in the form of a method for providing 
data security in circuitry containing at least one 
processor and at least one storage circuit according to 
claim 7. Preferred embodiments are defined by the 
dependent claims. 
20 According to the first aspect of the invention, 

circuitry is provided comprising at least one storage 
area in a storage circuity in which storage area 
protected data relating to circuitry security are 
located. The circuitry is arranged with mode setting 
25 means arranged to place a processor comprised in the 
circuitary in one of at least two different operating 
modes, the mode setting means being capable of altering 
the processor operating modes. Further, it comprises 
storage circuit access control means arranged to control 
30 the processor to gain access to the storage area in which 
protected data are located based on a first processor 
operating mode, and arranged to prevent the processor 
from accessing the storage area in which protected data 
are located , based on a second processor operating mode, 
35 thereby enabling the processor to execute non-verified 
software downloaded into the circuitry. 
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According to the second aspect of the invention, a 
method is provided wherein protected data relating to 
circuitry security is stored in a storage circuit, A 
processor is set in one of at least two different alter- 
5 able operating modes. The method further comprises the 
step of enabling the processor to access a storage area 
in which the protected data are located by setting the 
processor in a first operating mode and preventing the 
processor from accessing the storage area in which 
10 protected data are located by setting the processor in a 
second operating mode, thereby enabling the processor to 
execute non-verified software downloaded into the 
circuitry. 

The invention is based on the idea that circuitry is 
15 provided in which a processor is operable in at least two 
different modes, one first secure operating mode and one 
second unsecure operating mode. In the secure mode, the 
processor has access to security related data located in 
various memories located within the circuitry. The 
20 security data include cryptographical keys and algori- 
thms, software for booting the circuitry, secret data 
such as random numbers used as cryptographical key 
material, application programs etc. The circuitry can 
advantageously be used in mobile telecommunication 
25 terminals, but also in other electronic devices such as 
computers, PDAs or other devices with need for data 
protection. In the case where the circuitry is placed 
within a mobile telecommunication terminal, it might be 
desirable that the circuitry provides the terminal with a 
30 unique identification number and accompanying keys for 
cryptographic operations on the identification number. 
The access to these security data and the processing of 
them need to be restricted, since an intruder with access 
to security data could manipulate the terminal . When 
35 testing and/or debugging the terminal, access to security 
information is not allowed. For this reason, the 
processor is placed in the \insecure operating mode, in 
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which mode it is no longer given access to the protected 
data. 

The invention advantageously enables the processor 
of the circuitry to execute non-verified software down- 
5 loaded into the circuitry. This allows testing, debugging 
and servicing of the electronic device and its software 
without risking that a third party is given access to 
information which makes it possible to manipulate the 
security related components of the device so as to affect 
10 the security functions when in the secure environment. 

It should be noted that in US patent No. 5,892,900, 
the unsecure mode is the "normal" mode, used when trans- 
actions and communications must be secure, whereas in the 
present invention, the secure mode is the normal mode. In 
the present invention, unsecure mode is only entered 
during testing and/or debugging or other types of special 
cases when security data must be protected, i,e. when 
secure mode can not be practically maintained. 

The present invention eliminates the use for special- 
purpose terminals adapted for use in research and deve- 
lopment. During a development stage, it is sometimes a 
requirement to be able to download untrusted and/or 
unchecked code into terminals. By enabling the unsecure 
mode, a channel is provided into the terminal without 
25 giving access to security related components. Consequent- 
ly, the same terminal can be utilized for normal opera- 
tion as well as in the development stage. It should be 
understood that it is rather expensive to manufacture 
special purpose terminals. 

According to an embodiment of the invention, the 
circuitry of the invention is arranged with a timer 
controlling the time period during which the processor is 
in the unsecure mode. If other security controlling 
actions should fail, a maximum given time period is set 
35 during which access is given to unsecure processor mode. 
This restrains the possibility for an intruder to perform 
debugging and testing of the device. 



20 



30 
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According to another embodiment of the invention, 
authentication means are provided, which means being 
arranged to authenticate data externally provided to the 
terminal. An advantage with this feature is that during 
5 the manufacturing stage, and other stages where normal, 
secure operating mode is not yet activated, the terminal 
can be used for a limited time period, sufficient to load 
accepted, signed code into the terminal, it is also 
possible to download signed code packages into the 
10 terminal during secure mode operation. This facilitates 
the possibility to add new security features to the 
terminal, bringing flexibility to the architecture. The 
architecture enables the applications to be divided into 
secure and unsecure parts. The circuit checks the code 
15 packages which are signed appropriately. Secure applica- 
tions are downloaded to, and executed from, the storage 
area holding the protected data. This makes downloading 
of data smoother. If this feature was not present, it 
would be necessary to download secure applications and 
20 unsecure applications separately. 

According to yet another embodiment of the inven- 
tion, the circuitry is arranged with means for indication 
of the mode in which the processor is operating, it is 
appropriate that a mode register is set within the cir- 
25 cuitry, keeping track of the current mode. In case the 
circuitry is arranged within a mobile telecommunication 
terminal, it should be possible to indicate on the 
terminal display, via the terminal loudspeaker or in any 
other visual way, to a terminal user the fact that the 
30 terminal is operating in unsecure mode. This will draw 
the user's attention to the fact that unsecure mode has 
been entered. 

In accordance to further embodiments of the present 
invention, the mode setting means arranged to control the 
35 modes of the processor comprise an application program. 
This has the advantage that the mode could be set by the 
device itself, not having to rely on external signals. 
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Prom a security viewpoint, this is preferable since by 
controlling the application software, the setting of 
processor modes can also be controlled. It is also 
possible to have an external signal connected to the 
circuitry, by which signal it is possible to control the 
processor mode. By using an external signal, a mode 
change can be executed easy and fast, which can be 
advantageous in test environments. A combination of these 
two mode setting means is feasible. 



Brief De scription of the Drawing s 

The present invention will be described in greater 
detail with reference to the following drawings, wherein: 

Fig. 1 shows a block scheme of a preferred 
15 embodiment of circuitry for providing data security 
according to the present invention; and 

Pig. 2 shows a flow chart of a boot process for the 
circuitry according to the present invention. 



20 Description of Preferred Embodiments of the Invention 

Fig. 1 shows a block scheme of a preferred embodi- 
ment of the present invention. As can be seen, the 
architecture in Fig. 1 contains both software and 
hardware. The architecture is implemented in the form of 
25 an ASIC (Application Specific Integrated Circuit) . The 
processing part of the architecture contains a CPU and a 
digital signal processor DSP. These two processor can be 
merged into one single processor. Normally the CPU 
handles communication operations and the DSP handles the 
30 con^jutation of data. 

The secure environment comprises a ROM from which 
the ASIC ±g booted. This ROM contains boot application 
software and an operating system OS. The operating system 
controls and executes applications and offers various 
35 security services to the applications such as control of 
application software integrity and access control. The 
operating system has access to the ASIC hardware and it 
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cannot itself provide rigorous hardware security, but it 
must rely on the security architecture. 

Certain application programs residing in the secure 
environment, i.e. the protected data storage area, has 
precedence over other application programs. In a mobile 
telecommunication terminal, in which the ASIC can be 
arranged, a boot software should exist, which software 
includes the main functionality of the terminal. It is 
not possible to boot the terminal to normal operating 
mode without this software. This has the advantage that 
by controlling this boot software, it is also possible to 
control the initial activation of every terminal. 

The secure environment also con^riees RAM for stor- 
age of data and applications. The RAM preferably stores 
15 so called protected applications, which are smaller size 
applications* for performing security critical operations 
inside the secure environment. Normally, the way to 
employ protected applications is to let "normal'' applica- 
tions request services from a certain protected applica- 
20 tion. New protected applications can be downloaded into 
the secure environment at any time, which would not be 
the case if they would reside in ROM, Secure environment 
software controls the download and execution of protected 
applications. Only signed protected applications are 
25 allowed to run. The protected applications can access any 
resources in the secure environment and they can also 
communicate with normal applications for the provision of 
security services. 

In the secure environment, a fuse memory is com- 
30 prised containing a unique random number that is gene- 
rated and programmed into the ASIC during manufacturing. 
This random number is used as the identity of a specific 
ASIC and is further employed to derive keys for crypto- 
graphic operations. Further, storage circuit access 
35 control means in the form of a security control register 
is arranged. The purpose of the security control register 
is to give the CPU access to the secure environment, or 
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preventing the CPU from accessing the secure environment, 
depending on the mode set in the register. The processor 
operating modes can be set in the register hy application 
software, resulting in the fact that the architecture 
does not have to rely on external signals. From a secu- 
rity viewpoint, this is preferable since by controlling 
the application software, the setting of processor modes 
can also be controlled. It is also possible to have an 
external signal (not shown) connected to the ASIC, by 
which signal it is possible to set the security control 
register. By using an external signal, a mode change can 
be executed easy and fast, which can be advantageous in- 
test environments. A combination of these two mode 
setting means is feasible. 

Preferably, the mobile telecommunication terminal 
should indicate on the terminal display, via the terminal 
loudspeaker or in any other visual way, to a terminal 
-user the fact that the terminal is operating in unsecure 
mode. This will make the user aware of the fact that 
20 unsecure mode has been entered. 

A watchdog is arranged for various timer purposes. 
In case signat\ire verification of downloaded software 
fails, checksums does not match or some other error is 
detected, the operation of the ASIC, or the mobile tele- 
25 communication terminal it is arranged in, should stop. 
This should preferably not be done immediately when the 
error occurs. A random timeout, e.g. different time spans 
up to 3 0 seconds, is desired. This makes it more diffi- 
cult for an attacker to detect the instant at which the 
30 terminal has detected the error. The disabling of watch- 
dog updating is set in the security control register. The 
result of this operation is that the terminal will reset 
itself. The watchdog can also control the time period 
during which the processor is in the unsecure mode. If 
35 other security controlling actions should fail, a maximum 
given time period is set during which access is given to 
unsecure processor mode. This restrains the possibility 
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for an intruder to perform debugging and testing of the 
device . 

The CPU is connected to the secure environment 
hardware via a memory management unit MMU that handles 
memoiy operations, it also maps virtual addresses to 
physical addresses in memory for processes executed in 
the CPU. The MMU is located on a bus containing data, 
address and control signals. It is also possible to have 
a second MMU arranged to handle the memory operations for 
the ASIC RAM located outside the secure environment. A 
standard bridge circuit for limitation of data visibility 
on the bus is arranged within the ASIC. The architecture 
should be enclosed within a tamper resistant packaging. 
It should not be possible to probe or perform measure- 
15 ments and tests on this type of hardware which could 
result in the revealing of security related components 
and the processing of them. The DSP has access to other 
peripherals such as a direct memory access (DMA) unit. 
DMA is provided by the architectxire to allow data to be 
20 sent directly from the DSP to a memory. The DSP is freed 
from involvement with the data transfer, thus speeding up 
overall operation. Other peripherals such as RAMs, flash 
memories and additional processors can be provided 
outside the ASIC, A RAM is also arranged outside the 
25 secure environment in the ASIC, which RAM holds the non- 
verified software executed by the CPU. 

By providing the above described architecture in 
which the CPU is operable in two different modes, one 
secure operating mode and one unsecure operating mode, 
30 the CPU of the architecture can be enabled to execute 
non-verified software downloaded into the ASIC. This is 
due to the fact that only verified software has access to 
the secure environment. This allows testing, debugging 
and servicing of the mobile telecommunication terminal 
35 and its software without risking that a third party is 
given access to information which makes it possible to 
manipulate the security related components of the device 
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so as to affect the security functions when in the secure 
environment . 

In the secure mode, the processor has access to 
security related data located within the secure environ- 
ment. The security data include cryptograph! cal keys and 
algorithms, software for booting the circuitry, secret 
data such as random numbers used as crypt ©graphical key 
material, application programs etc. The circuitry can 
advantageously be used in mobile telecommunication 
terminals, but also in other electronic devices such as 
computers, PDAs or other devices with need for data 
protection. The access to these security data and the 
processing of them need to be restricted, since an 
intruder with access to security data could manipulate 
15 the terminal. When testing and/or debugging the terminal, 
access to security information is not allowed. For this 
reason, the processor is placed in the unsecure operating 
mode, in which mode it is no longer given access to the 
protected data within the secure environment. 

Fig. 2 illustrates a flow chart of the power up boot 
process for the architecture. At power up, ROM boot 
software activates secure mode for initial configuration. 
Then, signatures for the first protected application and 
operating system to be downloaded are checked. If the 
25 signatures are correct, the application and the operating 
system is downloaded into the secure environment RAM. 
When the desired software has been downloaded, the CPU is 
informed that the download is completed and the CPU 
starts executing the verified software. The operating 
system and protected application have thus been down- 
loaded into the secure environment in a secure and 
trusted manner. 

However, if the signature check fails or if no 
signature is present, unsecure mode is activated and the 
35 non-verified application is loaded into the ASIC RAM 
located outside the secure environment. Possibly, the 
watchdog is set to limit the time period during which the 
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unsecure mode is activate. A maximum time period is set 
during which the unsecure mode is active. When boot is 
completed, this non-verified application is executed by 
the CPU. The secure environment is now inaccessible. 

Even though the invention has been described with 
reference to specific exeinplifying embodiments thereof, 
tnany different alterations, modifications and the like 
will become apparent for those skilled in the art. The 
described embodiments are therefore not intended to limit 
the scope of the invention, as defined by the appended 
claims. 
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CLAIMS 

1. Circuitry for providing data security, which 
circuitry contains at least one processor and at lea.t 
one storage circuit and which circuitry comprises: 

at least one storage area in said storage circuit 
in which storage area protected data relating to 
circuitry security are located; 

mode setting means arranged to set said processor in 
one of at least two different operating modes, the mode 
setting means being capable of altering the processor 
operating mode; 

storage circuit access control means arranged to 
enable said processor to access said storage area in 
which said protected data are located when a first 
15 processor operating mode is set; and 

storage circuit access control means arranged to 
prevent said processor from accessing said storage area 
in which protected data are located when a second 
processor operating mode is set, thereby enabling said at 
least one processor to execute non-verified software 
downloaded into the circuitry. 

2. 



20 



25 



30 



The circuitry for providing data security 
according to claim 1, further con5)rising: 

a timer arranged to control the time period dxiring 
which the processor is in said second operating mode. 

3. The circuitry for providing data security 
according to claim 1 or 2, further comprising: 

authentication means arranged to authenticate 
software provided to the circuitry. 



4, The circuitry for providing data security 
according to any of the preceding claims, further 
35 conprising: 

means arranged to indicate in which mode the 
processor is operating. 
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5. 



15 



The circuitry for providing data security 
according to any of the preceding claims, wherein said 
mode setting means comprise an application program. 

6. The circuitry for providing data security 
according to any of the preceding claims, which circuitry 
IS coir^prised in a mobile telecommunication terminal. 

10 7. A method for providing data security in circuitry 

containing at least one processor and at least one 
storage circuit, which method comprises the steps of: 

storing protected data relating to circuitry 
security in said storage circuit; 

setting said processor in one of at least two 
different alterable operating modes; 

enabling said processor to access said storage area 
in which said protected data are located when a first 
processor operating mode is set,- and 

preventing said processor from accessing said 
storage area in which protected data are located when a 
second processor operating mode is set, thereby enabling 
said at least one processor to execute non-verified 
software downloaded into the circuitry. 

25 

8. The method for providing data security according 
to claim 7, further comprising the step of: 

controlling the time period dtiring which the 
processor is in said second operating mode by means of a 
30 timer. 

9. The method for providing data security according 
to claim 7 or 8, further comprising the step of; 

authenticating software provided to the circuitry. 



20 



35 



10. The method for providing data security according 
to any of claims 7-9, further cortprising the step of: 
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indicating in which mode the processor is operating. 

11. The method for providing data security according 
to any of claims 7-10, wherein the setting of said 
processor in one of at least two different alterable 
operating modes is performed by means of an application 
program. 

12 . The method for providing data security according 
to any of claims 7-ii, wherein the circuitry containing 
at least one processor and at least one storage circuit 
is comprised in a mobile telecommunication terminal . 
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ABSTRACT 

The present invention relates to circuitry and a 
method for providing data security, which circuitry 
contains at least one processor and at least one storage 
circuit. The invention is based on the idea that 
circuitry is provided in which a processor is operable in 
at least two different nwdee, one first secure operating 
mode and one second unsecure operating mode. In the 
secure mode, the processor has access to security related 
data located in various memories located within the 
circuitry. The access to these security data and the 
processing of them need to be restricted, since an 
intruder with access to security data could manipulate 
the circuitry. When testing and/or debugging the 
circuitry, access to security information is not allowed. 
For this reason, the processor is placed in the unsecure 
operating tnoda, in which mode it is no longer given 
access to the protected data. 
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